Description
Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue is a subscriber‑based Cross Site Scripting (XSS) flaw that allows an attacker to inject arbitrary script into pages rendered for users with subscriber roles. The vulnerability arises from unsanitized input that is reflected in the plugin’s output, enabling the execution of malicious code in the victim’s browser. An exploited XSS can lead to credential theft, session hijacking, or defacement of the site while affecting the confidentiality, integrity, and availability of the web interface.

Affected Systems

This flaw affects the WordPress FV Flowplayer Video Player plugin from FolioVision when its version is older than 7.5.51.7212. Any WordPress installation that has this plugin installed and is below the specified version is at risk. The vendor’s advisory explicitly lists these product versions as affected.

Risk and Exploitability

The CVSS vector yields a score of 6.5, indicating moderate severity. The EPSS score of less than 1% suggests a low probability that the flaw has already been exploited in the wild, and the vulnerability is not recorded in the CISA KEV catalogue. Nonetheless, because the attack vector is likely a web page that renders plugin output to subscribers, an attacker who can inject content via the plugin's settings or media uploads can trigger XSS. Consequently, the risk remains significant for sites that rely heavily on subscriber content sent through the plugin.

Generated by OpenCVE AI on June 18, 2026 at 00:24 UTC.

Remediation

Vendor Solution

Update the WordPress FV Flowplayer Video Player Plugin to the latest available version (at least 7.5.51.7212).


OpenCVE Recommended Actions

  • Update the FV Flowplayer Video Player plugin to at least version 7.5.51.7212 or newer.
  • Sanitize any user‑supplied data that the plugin might render on subscriber‑only pages before it is displayed.
  • If an update cannot be applied immediately, consider disabling or removing the plugin until a patched version is available.

Generated by OpenCVE AI on June 18, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Foliovision
Foliovision fv Flowplayer Video Player
Wordpress
Wordpress wordpress
Vendors & Products Foliovision
Foliovision fv Flowplayer Video Player
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions.
Title WordPress FV Flowplayer Video Player plugin < 7.5.51.7212 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Foliovision Fv Flowplayer Video Player
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T21:36:43.747Z

Reserved: 2026-06-01T15:29:19.865Z

Link: CVE-2026-49773

cve-icon Vulnrichment

Updated: 2026-06-15T21:36:40.602Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:22.173

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49773

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T00:30:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')